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Sandbox 
Terms and Conditions 


Scope of the ICO’s regulatory sandbox (the “sandbox”) 


These Terms and Conditions, include the terms set out in the sandbox entry 
letter (these “Terms and Conditions”). In consideration of the mutual 
obligations of the parties set out under these Terms and Conditions, the 
parties agree to be bound by these Terms and Conditions. 


The support offered by the ICO (“us”, “we”), to you, the organisation which 
iS participating in the sandbox (“you”, “your”, or “participant”) through the 
sandbox is solely in relation to the proposition for an innovative product or 
services, Outlined in your application (the “Proposed Innovation”). The 
direct benefits provided by the ICO via the sandbox can only be applied to 
innovations, products or services to the extent that they are offered or 
provided in the United Kingdom. 


We will use our reasonable skill and care in providing our feedback, steers, 
guidance, any exit report or document or other advice (“Feedback”). Unless 
we expressly document otherwise, our Feedback will be based on the specific 
information that you share with us and our understanding of the UK data 
protection law framework in force at the time ie the Data Protection Act 2018 
and the UK GDPR. We cannot provide Feedback on compliance with 
legislation in other jurisdictions, such as the EU GDPR. Only specific data 
protection law issues are open to the ICO’s regulatory feedback and support 
through the sandbox. 


As a result, our Feedback should not be viewed as a full examination or audit 
and will not identify all of the risks associated with the Proposed Innovation, 
your activities or all possible areas of non-compliance. This remains the case 
even if we raise issues that you have not expressly brought to our attention. 


You and we agree to co-operate to help you and us get the most out of your 
participation in the sandbox. You agree to remain open and transparent with 
us at all times in relation to the Proposed Innovation including before, during 
and after your time in the sandbox. If you are aware of any information that 
you believe would affect the ICO’s position, you must inform us immediately. 


You agree that you remain responsible for your compliance, and your 
Proposed Innovation’s compliance, with all legal and regulatory obligations, 
whether in respect of data protection law or otherwise. 
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You are not required to comply with the Feedback, and you are always free 
to take your own independent legal advice. Of course, if you choose not to 
follow our Feedback you might not be able to continue in the sandbox, and 
you might be acting in breach of data protection law and therefore you may 
not be protected by the comfort from enforcement set out in the entry letter. 


The Feedback is to you only and is specific to your circumstances. It must 
not be shared with any other party (either in part or in full) without our 
express written permission. This does not prevent you from disclosing the 
Feedback to your employees, agents, consultants, advisors, representatives 
or sub-contractors, provided that they are subject to obligations to maintain 
the confidentiality of the advice and not to disclose it to third parties, and 
that the Feedback is only used for the purposes of advising or assisting you. 


Any Feedback is given without prejudice to any decision or action that we 
may take in the future, including any enforcement or other regulatory action. 
The positions reflected in the Feedback may change over time, for example 
on receipt of further information by us, or following a change in law, court 
judgments, regulatory guidance or ICO policy. 


Being accepted into the sandbox does not prevent regulatory action by us or 
by any other competent data protection authority or by any other regulatory 
body or authority. The Feedback does not affect rights conferred on third 
parties (Such as your customers), nor does it bind any courts, and may not 
reflect the views of any other data protection authority. 


[To be included only where the participant is acting as a lead on behalf of a group: 


1:11 


You and we acknowledge that you are acting as a lead organisation, and the 
development of the Proposed Innovation is shared among the persons and 
organisations listed below. You acknowledge and agree that our relationship 
in relation to the sandbox is only with you. You agree to indemnify us from 
and against any claim or complaint brought by a third party, including those 
listed below, under or in relation to these Terms and Conditions or your 
participation in the sandbox. 


List of persons and organisations you are working with on the Proposed 
Innovation: 


(A) [Add name, address and company number (if applicable).]] 


Sandbox safeguards 
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We may require safeguards to be built into the sandbox to protect the rights 
of data subjects. For example, you may need to provide disclosures and 
protections to data subjects, and may be required to have arrangements to 
compensate data subjects for any losses suffered in connection with 
particular tests. We will determine the appropriate safeguards on a case-by- 
case basis, with the aim of ensuring that protections are sufficient but at the 
same time not unnecessarily burdensome on you considering your sandbox 
activities. Failure to implement any such safeguards or protections may result 
in your involvement in the sandbox being terminated in line with these Terms 
and Conditions and/or in our taking formal enforcement action against you 
(and you therefore may not be protected by the comfort of enforcement set 
out in the entry letter). 


The scope of the ICO’s role in the sandbox 


We will use reasonable care in our dealings with you in relation to the 
sandbox and your Proposed Innovation. However, given the nature of the 
sandbox and of our Feedback (and subject to clause 3.2), we do not accept 
any liability or responsibility for: (i) any opinions expressed or information 
included in any of our Feedback, (ii) the time it may take for us to provide 
any Feedback, and/or (iii) any other liability under or in relation to the 
sandbox, your Proposed Innovation and/or these Terms and Conditions, 
whether in contract, tort (including negligence) or otherwise. 


Nothing in these Terms and Conditions seeks to limit our liability in any way 
which is not permitted by law, including our liability to you for fraud or 
fraudulent misrepresentation. 


Overview of the engagement process 


The sandbox engagement process is flexible and is not designed to be a ‘one 
size fits all’ solution. We understand that each participant's journey through 
the sandbox will be unique, depending on the specific options used, the 
solution being tested and the extent of data subject involvement. The ICO 
case officer assigned to you will discuss this with you at the kick-off meeting. 


We will collaborate and agree an approach for your journey through the 
sandbox (the “Sandbox Plan”), which may specify testing parameters, 
measures for outcomes, reporting requirements, safeguards, timescales, 
milestones and term of the sandbox. You must fully comply with your 
obligations set out in the Sandbox Plan. We will monitor your performance 
against the Sandbox Plan through regular review meetings, during which you 
will need to demonstrate, to our reasonable satisfaction, that you are on 
course to fulfil all of the requirements set out in the Sandbox Plan, by the 
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applicable dates. As you progress through the Sandbox, we may from time 
to time, ask you to comply with further obligations which we reasonably 
consider to be necessary, which you must fulfil, in addition to the 
requirements set out in your Sandbox Plan. 


As part of the Sandbox Plan, you will be required to develop and obtain the 
ICO’s approval for an exit plan to ensure the sandbox can be closed down at 
any point whilst minimising the potential detriment to data subjects (the 
“Exit Plan”). 


Term of the sandbox 


Unless extended by us, or terminated in accordance with these Terms and 
Conditions, your involvement in the sandbox terminates on the expiry of the 
agreed term under the Sandbox Plan. If the ICO ceases to operate the 
sandbox, your participation in the sandbox will automatically cease with 
immediate effect. 


If you have not completed all of your required obligations in the Sandbox 
Plan by the end of the relevant term of your Sandbox Plan, we may, acting 
entirely in our discretion, either grant you an extension to your term in the 
sandbox or terminate your involvement in the sandbox. Furthermore, if at 
any time during your participation in the sandbox, we consider that you are 
not engaging with us in a sufficiently cooperative or collaborative manner, 
then we may, acting entirely in our discretion, and without prejudice to our 
other rights and remedies, temporarily suspend your involvement in the 
sandbox (for a period which we deem to be necessary) until we are satisfied 
that you have sufficiently addressed such concerns. However, when 
considering what action to take under this clause, we will always act 
reasonably and will take into account any extenuating circumstances which 
may have delayed or otherwise affected your progress within the sandbox. 


Either you or the ICO may at any time, on two week’s written notice, 
terminate your involvement in the sandbox. 


The ICO may at any time terminate, with immediate effect, your involvement 
in the sandbox and cease providing Feedback and any other regulatory 
support if: (i) there is a conflict of interest as defined in clause 10; (ii) you 
commit a material or repeated breach of the Sandbox Plan or these Terms 
and Conditions, which is not capable of remedy; or (iii) the ICO (acting 
reasonably) determines that your conduct, either in the course of or outside 
of the sandbox, is contrary to the public interest or is likely to bring the ICO 
into disrepute, or is otherwise deemed by us to be contrary to the nature of 
the sandbox (including where in our opinion you consciously withhold 
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information from us where you should reasonably have disclosed it, or where 
you take material action concerning the Proposed Innovation without 
informing or involving us, or where you otherwise act in a manner which we 
deem to be inappropriate). 


As we may request, you must carry out and adhere to your Exit Plan upon 
the termination of the sandbox, either at the expiry of the agreed term or 
upon earlier termination however arising. 


You acknowledge that due to the highly innovative nature of the sandbox, 
the ICO is entitled to suspend or terminate the sandbox project at any time 
should the sandbox trigger detrimental unexpected consequences for the 
ICO, applicants or data subjects. 


Intellectual property 


You will retain your intellectual property rights in, and responsibility for, all 
content and materials that you contribute to the sandbox, which either (i) 
already exist at the start of your involvement with the sandbox project; or 
(ii) are otherwise developed by you outside of the sandbox (“Existing 
Intellectual Property”). You will only submit Existing Intellectual Property 
that you have the right to share, use and develop, and you will fully comply 
with any third party licenses relating to the Existing Intellectual Property. 


All intellectual property rights obtained, created or developed by you during 
your participation in the sandbox relating to your Proposed Innovation (“New 
Intellectual Property”) will vest in you, subject to any contrary agreement 
you may have with a third party. 


The ICO may use Existing Intellectual Property and New Intellectual Property 
as is reasonable to enable it to exercise its rights and perform its functions 
or obligations in connection with the sandbox (the “Use”), and you grant or 
must procure the grant of royalty-free and non-exclusive licences to the ICO, 
for the Use of the Existing Intellectual Property and the New Intellectual 
Property. 


You warrant and undertake to ensure that the Use by the ICO of any Existing 
Intellectual Property and/or New Intellectual Property will not infringe the 
rights of any third party. 


You agree to defend, indemnify, and hold harmless the ICO from and against 
any liability or loss (including, without limitation, any legal costs) incurred by 
the ICO as a result of, or in connection with, the ICO’s Use of Existing 
Intellectual Property and New Intellectual Property. 
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Confidentiality 


You must clearly identify to the ICO, in writing, which information you provide 
to us you consider to be your confidential information and provide clear 
reasons why you regard such information to be confidential (“your 
confidential information”). We will protect your confidential information 
as we do our own commercially sensitive information. 


During the term of the sandbox and for so long as your confidential 
information remains confidential in nature and not available to the public, we 
will not use or disclose your confidential information without your prior 
written consent: (i) other than to provide Feedback or other support in 
connection with the sandbox or to fulfil any of the ICO’s functions or 
obligations, including as set out in this clause 7; and/or (ii) unless permitted 
or required to do so by law, statutory directions, court orders or government 
regulations; and/or (iii) unless otherwise permitted under these Terms and 
Conditions. 


The ICO may use information obtained from you (including your confidential 
information) to help develop and provide guidance, policies and resources 
(on an anonymised basis) to the public. 


The ICO may disclose your confidential information to such of its employees, 
agents, consultants, advisors or representatives to the extent that such 
disclosure is reasonable in relation to the sandbox, including for us to provide 
Feedback, and for the purposes set out in this clause 7, provided always that 
such employees, agents, consultants, advisors or representatives are made 
aware of and comply with the obligations of confidentiality under these Terms 
and Conditions. 


The ICO may disclose any information received from or relating to you, 
including your confidential information, to any regulator or public body in the 
UK or elsewhere (including, without limitation, the Centre for Data Ethics and 
Innovation), where such disclosure by the ICO is made for the purposes of: 
(a) verifying any claim made by you when applying for the sandbox; (b) 
facilitating the performance of the ICO’s functions; or (c) complying with any 
specific legal or regulatory obligation. 


We are bound by the Freedom of Information Act 2000 and as such can be 
asked to disclose certain information that we hold, which could include 
information which you give to us concerning you and/or your involvement in 
the sandbox. The ICO will endeavour to let you know if we are asked to share 
any information that relates to you and will seek to apply relevant 
exemptions from disclosure where appropriate. 
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Should you receive any confidential information belonging to the ICO, you 
will keep that information confidential and only use it for the purpose for 
which it was provided to you. You will protect that confidential information 
as you do your own confidential information. At any time, at our request you 
shall securely return or securely destroy our confidential information in your 
possession or control. The obligations in this clause 7.7 shall continue during 
the term of the sandbox and for so long afterwards as that confidential 
information remains confidential in nature and not available to the public. 


Communications relating to the sandbox 


A condition of your participation in the sandbox is that you provide us with 
your consent to make public that you are participating in the sandbox along 
with a short description of your proposition. We will consult with you on the 
short description we use ahead of publication. 


The ICO may also, at its discretion, make public anonymised, aggregated 
information on the sandbox and its participants. 


Your involvement in the sandbox does not represent an approval or 
endorsement by the ICO of you or your Proposed Innovation. Neither you 
nor anyone acting on your behalf may make any statement or 
announcement, either expressly or by implication, that suggests that the ICO 
has approved, endorsed, or otherwise accepted that you or your Proposed 
Innovation complies with regulatory requirements as a result of your 
involvement. 


Your organisation is not permitted to communicate to any third party that 
you are in the sandbox, before, during, or after the sandbox period, without 
the ICO’s express written and specific consent. This includes, but is not 
limited to, communications to any organisation, media outlet, existing or 
future customers, and data subjects. 


Following your exit from the sandbox, whenever or howsoever arising, we 
reserve the right to publish a statement or report, including on our website, 
summarising your involvement in the sandbox, including the outcomes of 
your time in the sandbox. Where reasonably possible, we will seek your 
input on the drafting of this statement and/or report and will seek to take 
such input into account, but for the avoidance of doubt, we retain the right, 
acting entirely in our own discretion, to publish the statement and/or report 
and to determine its contents, as well as a right to determine timescales for 
its publication. 


Privacy and data protection 
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Unless otherwise agreed, any personal data (such as your staff’s contact 
details) provided to the ICO as part of your participation in the sandbox will 
be processed by the ICO as a data controller in line with our privacy notice. 


You are responsible for providing a copy of the ICO’s privacy notice to any 
employees or other data subjects whose personal data you share with the 
ICO during your participation in the sandbox. 


Given that the ICO will only be processing minimal amounts of business- 
related personal data in relation to your time in the sandbox, we do not at 
this stage deem it necessary to enter into a separate data sharing agreement 
with you. However, you must ensure that any transfer of personal data to the 
ICO is completed in compliance with applicable law (including applicable data 
protection law). 


The ICO will implement and maintain appropriate technical and 
organisational measures to ensure a level of Security appropriate to the risk, 
including from unauthorised or unlawful processing of personal data, or 
accidental loss or destruction of, or damage to, that personal data, and will 
process all personal data received from you in compliance with the provisions 
and principles set out in data protection legislation. 


You acknowledge and agree that your participation in the sandbox does not 
affect your responsibility or liability if personal data is corrupted, damaged 
Or improperly used or disclosed by you in the course of the sandbox. 


Conflict of Interest 


You acknowledge and undertake to discuss at the application stage, and as 
and when one may arise, any actual or potential conflict of interest (“conflict 
of interest”). Such a conflict of interest may arise, for example, from any 
connections or associations that you or any of your employees may have with 
individuals at the ICO, which may include: 


(a) spouses, partners, children, parents or other relatives; 
(b) business partners, employees, managers or directors; and/or 


(c) any former ICO staff member who is employed by you, appointed to 
your board, or who has a substantial interest in you. 


As a parallel internal process, we will (in line with the ICO Code of Conduct) 
declare any potential conflicts of interest with you as soon as reasonably 
practicable after they become apparent to us. 
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11. General 
11.1 Your involvement in the sandbox does not create a joint venture, co- 


ownership, partnership or agency relationship between you and the ICO. 
Neither you nor the ICO will have the authority to incur, assume, or create, 
orally or in writing, any liability, obligation, or undertaking of any kind in the 
name of, or on behalf of, or in any way binding upon, the other. 


We retain the right to amend these Terms and Conditions at any time by 
giving you reasonable notice in writing. 


General words within these Terms and Conditions must not be given a 
restrictive meaning simply because they are followed by particular examples 
intended to be embraced by the general words. 


Only you and we have rights under these Terms and Conditions. A person 
who is not a party to these Terms and Conditions, has no rights to enforce it 
or enjoy any benefits under it. 


These Terms and Conditions, including the terms of the sandbox entry letter, 
constitute the whole and only agreement between us and you relating to your 
participation in the sandbox. You acknowledge that you have not relied on 
any representation made by or on behalf of the ICO which is not set out in 
these Terms and Conditions. If there is any conflict between the terms of the 
sandbox entry letter and the terms set out in this document, the terms set 
out in this document will prevail. 


Remedies under these Terms and Conditions are cumulative and may be 
exercised concurrently or separately. 


If any provision of the Terms and Conditions is prohibited by law or judged 
by a court to be unlawful, void or unenforceable, the provision shall, to the 
extent required, be severed from the Terms and Conditions without 
modifying the remaining provisions. 


Any waiver or relaxation, either partly or wholly, of any of the Terms and 
Conditions shall be valid only if it is communicated to the other in writing and 
expressly stated to be a waiver, and shall not constitute a waiver of any right 
or remedy arising from any other breach of the Terms and Conditions. 


Any formal notice to be given under the Terms and Conditions shall be in 
writing and may be served by personal delivery, first class recorded post or, 
e-mail to the address of you or us (as applicable) set out in the sandbox 
entry letter, or such other address as you or we have notified to other for 
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formal notices. Notices shall be deemed served on the next working day after 
delivery. An email shall be deemed delivered when sent unless an error 
message is received or, where an out of office message is received, on the 
date the out of office message states the recipient is to return. 


11.10 Any matter, claim or dispute arising out of or in connection with these Terms 
and Conditions, whether contractual or non-contractual, is to be governed by 
and determined in accordance with English law. You and we irrevocably 
submit to the jurisdiction of the English courts. 


